topic Re: How can I view and search multiple indexes from dashboards in Splunk Search

How can I view and search multiple indexes from dashboards

eyaluodba — Tue, 23 May 2017 17:57:39 GMT

I have a dashboard that lists/groups recently updated dashboards and I just wanted to know if there was a way to also add another column to view and search the indexes of those same dashboards.
Here is my code below

  <table>
    <search>
      <query>index=_internal source=*web_access.log* /app/  action=edit  | rex  "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)"  | table dashboard_name, _time, app_name, user </query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">50</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>

By the way- I am referring to the indices that the searches inside the dashboard belong to.

Re: How can I view and search multiple indexes from dashboards

woodcock — Tue, 23 May 2017 18:39:00 GMT

Dashboards do not "have indices" so I do not understand what you mean.

Re: How can I view and search multiple indexes from dashboards

cmerriman — Tue, 23 May 2017 18:47:07 GMT

are you referring to the indicies that the searches inside the dashboard belong to? so if you have a dashboard with two panels and one panel has a search in index=a and another panel with a search in index=b, you want to know that that dashboard "belongs" to indices a and b?

Re: How can I view and search multiple indexes from dashboards

eyaluodba — Tue, 23 May 2017 18:53:09 GMT

Yes this is what I mean. Sorry about the confusion

Re: How can I view and search multiple indexes from dashboards

teunlaan — Wed, 24 May 2017 06:52:40 GMT

You pust pull the searches that are used on the dashboards from the xml. Tricky but is that it can also Use Savedsearches.

we created a REST search, that lists all the dashboard with there searches that are used on them (in_line or savesearch, and what is the search). It's not exactly what you want, but you could use it to extract the searches from your dasboards.

| rest /servicesNS/-/-/data/ui/views splunk_server=*
| rename eai:* as *
| rename acl.* as *
| search isVisible=1 
| fields title data app
| makemv veld2 delim=","
| rex field=data max_match=0 "query\>(?<veld2>[^\<]+).*\<\/query"
| mvexpand veld2
| eval Applicatie=app
| eval Dashboard=title
| eval search=veld2
| fields search Applicatie Dashboard
| dedup search Applicatie Dashboard
| append
    [| rest /servicesNS/-/-/saved/searches/ splunk_server=*
    | dedup title
    | rename eai:* as *
    | rename acl.* as *
    | search sharing!=user
    | rename title as searchname
    | fields searchname is_scheduled search app
    | dedup searchname is_scheduled search app
    | join max=0 searchname
        [| rest /servicesNS/-/-/data/ui/views splunk_server=*
        | rename eai:* as *
        | rename acl.* as *
        | search isVisible=1 sharing!=user 
        | fields title data app
        | makemv savedsearch delim=","
        | rex field=data max_match=0 "search ref=\"(?<savedsearch>[^\"]+)\""
        | mvexpand savedsearch
        | eval Applicatie=app
        | eval Dashboard=title
        | rename savedsearch as searchname
        | fields searchname Applicatie Dashboard
    | dedup searchname Applicatie Dashboard ]]
| fields Dashboard, Applicatie, search, searchname, is_scheduled | eval is_scheduled=if(isnull(is_scheduled),"inline-search",is_scheduled)